Option to scan, and report on, outdated transitive dependencies #204

Closed
pmonks opened this issue Feb 27, 2023 · 9 comments

Comments

@pmonks
Contributor

pmonks commented Feb 27, 2023

There are cases where it is useful to know about outdated transitive dependencies, since these can (sometimes) be safely overridden in a package's own dependency set without having to wait for the intermediate dependency to release a new version with upgraded dependencies. This is especially important for libraries that are commonly found as transitive dependencies in Clojure projects, but have a long history of security vulnerabilities; Jackson being a prime example.

That said, I don't think this behaviour should be the default, and could be gated behind an option such as --transitive.
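As an added example (not from the antq project or from either participant), this deps.edn shows the override the issue describes: pinning an outdated Jackson artifact that only arrives transitively by declaring it at the top level, where tools.deps prefers the top-level coordinate. The library some-org/some-lib, the alias names and all version numbers are constructed placeholders; the :outdated alias follows antq's documented usage as I understand it and is an assumption.

```clojure
{:paths ["src"]

 :deps
 {;; constructed direct dependency that pulls in Jackson transitively
  some-org/some-lib {:mvn/version "1.0.0"}

  ;; explicit top-level override: tools.deps uses a top-level coordinate
  ;; in preference to the version a transitive path would have resolved,
  ;; so the project no longer waits for some-org/some-lib to upgrade.
  ;; Version is a constructed placeholder; pick the current patched release.
  com.fasterxml.jackson.core/jackson-databind {:mvn/version "2.X.Y"}}

 :aliases
 {;; alternative: keep :deps clean and apply the pin only when the alias is
  ;; active, e.g. `clj -A:pin-jackson -Stree` to confirm the resolved version
  :pin-jackson
  {:override-deps {com.fasterxml.jackson.core/jackson-databind {:mvn/version "2.X.Y"}}}

  ;; antq invocation; `--transitive --no-changes` is the combination recommended
  ;; later in this thread for transitive scans
  :outdated
  {:extra-deps {com.github.liquidz/antq {:mvn/version "RELEASE"}}
   :main-opts ["-m" "antq.core" "--transitive" "--no-changes"]}}}
```

`clj -Stree` (a real tools.deps option) prints the resolved tree, which is the quickest way to verify that the override actually replaced the transitive version rather than sitting beside it.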

@liquidz
Owner

liquidz commented Feb 28, 2023

@pmonks Thank you for your suggestion!
Indeed, that sounds very useful.

I'll consider implementation.

@liquidz
Owner

liquidz commented Apr 22, 2023

@pmonks Sorry for such a late reaction.
I've implemented this feature in the dev branch for trial.
Could you try the dev branch with the --transitive option? (--no-changes is recommended, since --transitive may lead to too many deps.)

@liquidz
Owner

liquidz commented Apr 28, 2023

Moved to feature/transitive branch.

@pmonks
Contributor Author

pmonks commented Jun 11, 2023

I tried the feature/transitive branch, but it appears to hang:

$ git clone https://github.com/liquidz/antq.git
Cloning into 'antq'...
remote: Enumerating objects: 6163, done.
remote: Counting objects: 100% (2690/2690), done.
remote: Compressing objects: 100% (1027/1027), done.
remote: Total 6163 (delta 1694), reused 2149 (delta 1640), pack-reused 3473
Receiving objects: 100% (6163/6163), 750.34 KiB | 396.00 KiB/s, done.
Resolving deltas: 100% (3662/3662), done.
$ cd antq/
$ git switch feature/transitive
branch 'feature/transitive' set up to track 'origin/feature/transitive'.
Switched to a new branch 'feature/transitive'
$ clj -A:outdated --transitive
WARNING: Implicit use of clojure.main with options is deprecated, use -M
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
Downloading: cloverage/cloverage/maven-metadata.xml from clojars
Downloading: org/slf4j/slf4j-nop/maven-metadata.xml from central
Downloading: org/slf4j/slf4j-nop/2.0.7/slf4j-nop-2.0.7.pom from central
Downloading: lambdaisland/deep-diff2/2.8.190/deep-diff2-2.8.190.pom from clojars
Downloading: lambdaisland/kaocha/1.82.1306/kaocha-1.82.1306.pom from clojars
Downloading: com/github/liquidz/build.edn/0.9.203/build.edn-0.9.203.pom from clojars
Downloading: metosin/malli/0.11.0/malli-0.11.0.pom from clojars
Downloading: cloverage/cloverage/1.2.4/cloverage-1.2.4.pom from clojars
Downloading: org/tcrawley/dynapath/1.1.0/dynapath-1.1.0.pom from central
Downloading: org/clojure/core.rrb-vector/0.1.2/core.rrb-vector-0.1.2.pom from central
Downloading: progrock/progrock/0.1.2/progrock-0.1.2.pom from clojars
Downloading: com/nextjournal/beholder/1.0.2/beholder-1.0.2.pom from clojars
Downloading: lambdaisland/clj-diff/1.4.78/clj-diff-1.4.78.pom from clojars
Downloading: hawk/hawk/0.2.11/hawk-0.2.11.pom from clojars
Downloading: io/github/clojure/tools.build/0.9.3/tools.build-0.9.3.pom from central
Downloading: riddley/riddley/0.2.0/riddley-0.2.0.pom from clojars
Downloading: borkdude/dynaload/0.3.5/dynaload-0.3.5.pom from clojars
Downloading: mvxcvi/arrangement/2.1.0/arrangement-2.1.0.pom from clojars
Downloading: borkdude/edamame/1.3.20/edamame-1.3.20.pom from clojars
Downloading: fipp/fipp/0.6.26/fipp-0.6.26.pom from clojars
Downloading: lambdaisland/tools.namespace/0.1.247/tools.namespace-0.1.247.pom from clojars
Downloading: pogonos/pogonos/0.2.1/pogonos-0.2.1.pom from clojars
Downloading: io/methvin/directory-watcher/0.17.3/directory-watcher-0.17.3.pom from central
Downloading: net/incongru/watchservice/barbary-watchservice/1.0/barbary-watchservice-1.0.pom from central
Downloading: org/babashka/cli/0.5.40/cli-0.5.40.pom from clojars
Downloading: net/incongru/watchservice/barbary-watchservice/1.0/barbary-watchservice-1.0.jar from central
Downloading: io/methvin/directory-watcher/0.17.3/directory-watcher-0.17.3.jar from central
Downloading: com/nextjournal/beholder/1.0.2/beholder-1.0.2.jar from clojars
Downloading: lambdaisland/clj-diff/1.4.78/clj-diff-1.4.78.jar from clojars
Downloading: fipp/fipp/0.6.26/fipp-0.6.26.jar from clojars
Downloading: org/clojure/core.rrb-vector/0.1.2/core.rrb-vector-0.1.2.jar from central
Downloading: org/slf4j/slf4j-nop/2.0.7/slf4j-nop-2.0.7.jar from central
Downloading: mvxcvi/arrangement/2.1.0/arrangement-2.1.0.jar from clojars
Downloading: org/tcrawley/dynapath/1.1.0/dynapath-1.1.0.jar from central
Downloading: io/github/clojure/tools.build/0.9.3/tools.build-0.9.3.jar from central
Downloading: hawk/hawk/0.2.11/hawk-0.2.11.jar from clojars
Downloading: riddley/riddley/0.2.0/riddley-0.2.0.jar from clojars
Downloading: cloverage/cloverage/1.2.4/cloverage-1.2.4.jar from clojars
Downloading: borkdude/edamame/1.3.20/edamame-1.3.20.jar from clojars
Downloading: borkdude/dynaload/0.3.5/dynaload-0.3.5.jar from clojars
Downloading: org/babashka/cli/0.5.40/cli-0.5.40.jar from clojars
Downloading: pogonos/pogonos/0.2.1/pogonos-0.2.1.jar from clojars
Downloading: metosin/malli/0.11.0/malli-0.11.0.jar from clojars
Downloading: progrock/progrock/0.1.2/progrock-0.1.2.jar from clojars
Downloading: lambdaisland/tools.namespace/0.1.247/tools.namespace-0.1.247.jar from clojars
Downloading: com/amazonaws/aws-java-sdk/1.4.3/aws-java-sdk-1.4.3.pom from central
Downloading: org/codehaus/jackson/jackson-mapper-asl/1.8.9/jackson-mapper-asl-1.8.9.pom from central
Downloading: org/codehaus/jackson/jackson-core-asl/1.8.9/jackson-core-asl-1.8.9.pom from central
Downloading: org/codehaus/jackson/jackson-core-asl/1.8.9/jackson-core-asl-1.8.9.jar from central
Downloading: javax/enterprise/cdi-api/1.2/cdi-api-1.2.jar from central
Downloading: org/codehaus/jackson/jackson-mapper-asl/1.8.9/jackson-mapper-asl-1.8.9.jar from central
Downloading: com/amazonaws/aws-java-sdk/1.4.3/aws-java-sdk-1.4.3.jar from central
Downloading: javax/interceptor/javax.interceptor-api/1.2/javax.interceptor-api-1.2.pom from central
Downloading: javax/el/javax.el-api/3.0.0/javax.el-api-3.0.0.pom from central
Downloading: org/apache/httpcomponents/httpclient/4.1/httpclient-4.1.pom from central
Downloading: org/apache/httpcomponents/httpcomponents-client/4.1/httpcomponents-client-4.1.pom from central
Downloading: org/apache/httpcomponents/project/4.1.1/project-4.1.1.pom from central
Downloading: commons-codec/commons-codec/1.4/commons-codec-1.4.pom from central
Downloading: org/apache/httpcomponents/httpcore/4.1/httpcore-4.1.pom from central
Downloading: org/apache/commons/commons-parent/11/commons-parent-11.pom from central
Downloading: org/apache/httpcomponents/httpcomponents-core/4.1/httpcomponents-core-4.1.pom from central
Downloading: javax/el/javax.el-api/3.0.0/javax.el-api-3.0.0.jar from central
Downloading: javax/interceptor/javax.interceptor-api/1.2/javax.interceptor-api-1.2.jar from central
Downloading: commons-codec/commons-codec/1.4/commons-codec-1.4.jar from central
Downloading: org/apache/httpcomponents/httpclient/4.1/httpclient-4.1.jar from central
Downloading: org/apache/httpcomponents/httpcore/4.1/httpcore-4.1.jar from central
[##################################################] 144/144
<Ctrl+C after some time>
$ clj -A:outdated --transitive
WARNING: Implicit use of clojure.main with options is deprecated, use -M
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
[##################################################] 144/144
<Ctrl+C after some time>

@liquidz
Owner

liquidz commented Jun 14, 2023

@pmonks Sorry for late reply.
Could you tell me a repository which can reproduce the hanging if possible?

@pmonks
Contributor Author

pmonks commented Jun 14, 2023

@liquidz I just ran it on itself to begin with - the commands I used (minus output) were:

$ git clone https://github.com/liquidz/antq.git
$ cd antq/
$ git switch feature/transitive
$ clj -A:outdated --transitive

@liquidz
Owner

liquidz commented Jun 14, 2023

@pmonks Ah, I missed that. Thank you!
It must be taking time to fetch changes URLs.

In my environment, it took some time but the results were reported.

As mentioned above (#204 (comment)), if there are many outdated dependencies, it will take time to get the changes URLs, so I recommend using the --no-changes option.

$ clj -A:outdated --transitive --no-changes

@pmonks
Contributor Author

pmonks commented Jun 15, 2023

@liquidz Ah yes, it works (and quickly!) with the --no-changes option. I reckon this is good to merge, if you agree?

@liquidz
Owner

liquidz commented Jun 16, 2023

@pmonks Just released v2.5.1089 :)

@liquidz liquidz closed this as completed Jun 16, 2023